I know that 1PW has never been hacked. Do you know if that is also the case for Bitwarden? I trust 1PW. I’m more leery of other solutions, though I can’t explain why other than “mind share” from this forum.
I’ve never tried one as I drink my coffee black. I’ll have to give it a try!
Bitwarden has not been hacked so far.
I love the idea of passkeys but I found their current implementation confusing and convoluted and switching back to 1p required a lot less thinking.
I can’t remember the specifics, but I thought they’d be easier, so I gave up. Maybe next year…
@Bmosbacker, I think others have already commented on some of the pros of 1Password/Bitwarden over Keychain (which I don’t know well). There are a couple of things I did not see mentioned:
1) Passkeys and Multifactor Authentication (MFA)
1Password and some others will handle passkeys and can also act as your authenticator app for MFA. Ideally, you would use a password manager and an independent MFA (DUO/Yubikey/Microsoft/Google/etc.), which adds friction. Allowing 1Password to also be your MFA adds additional security in a case such as a data breach from a vendor that leaks your username and password. The additional layer of MFA would help prevent a threat actor from gaining access. The downside is that if a threat actor gains access to your 1Password, they also have access to your MFA. Passkeys are their own topic, and there’s plenty of material on the web about them, but you’re likely to see more vendors offering them as a more secure option.
2) Emergency/Disaster Recovery/End of Life
Everyone’s situation differs, but I would also consider emergency access, disaster recovery, and end-of-life scenarios in your decision. Be sure to test for these situations as well. It could be a stolen/lost/bricked device. It could be an untimely hospitalization or death. I have a wife and three daughters (1 headed into a master’s degree and 2 still at home). What happens if I’m unexpectedly not around? What happens if my wife and I get into an auto accident together this afternoon? This is a big topic, but one aspect is giving the right people the right access at the right time. I need the peace of mind of knowing my wife can access everything and continue without me. In the event my wife and I are both unavailable, my daughter has instructions on how to gain access to everything. Many things are already shared, but if I have missed something, my wife or oldest daughter needs the keys to the kingdom. We have put many of our documents in a password manager, but we also maintain physical documents. These could be stored in a safe or a safe deposit box. The important part is that it’s documented, tested, and routinely updated. It covers everything from secrets/passwords, medical history/doctors/prescriptions anyone takes, and burial, to even a few letters to my girls that I hope they don’t get to read for a very long time, but they’re there for them to read when the time comes. Heck, after losing my father-in-law two years ago, my wife mentioned we should write our obituary so our girls don’t have to worry about it. That may be in our next update.
I hope it did not sound like I’m assuming anyone isn’t thinking or preparing for those worst-case scenarios; I only wanted to highlight some things I feel are worth considering as they tie together in some ways.
I guess one last thought…everyone has different security needs and tolerances. It’s a sliding scale. I’m not the Department of Defense and don’t need the friction to meet their standards. I am okay with the friction of MFA for my sensitive accounts, but do I need MFA to log into the MPU forum? As a user…maybe not. If I were a forum admin, maybe yes.
Sorry for the long post; good luck finding something that meets your needs!
@DEVONtech_Jim Sorry Jim! I meant to reply to @Bmosbacker and hit your name by accident, and I have no idea how to fix it.
Assume they will be. What does that look like? How is your data secured on their end? What would a threat actor that gained access be able to obtain? What about their employees? It’s not always an external threat.
1Password and Bitwarden are very transparent about their security models. Very likely, I would do nothing. Perhaps I’d update my most sensitive accounts out of an abundance of caution.
Some light bedtime reading:
- Security audits of 1Password
- About the 1Password security model
- About 1Password and your privacy
- Get to know your Emergency Kit | 1Password
- Security FAQs | Bitwarden Help Center
One important aspect is the third-party audits. Are these vendors doing what they say they are doing? Are they following best practices? Even then, there’s ALWAYS risk. Understanding their security models may help you determine if the risk is acceptable.
Bitwarden has never been hacked either.
The mindshare among long-time Mac users is because 1PW was originally Apple-only, native, and it was in many ways a breakthrough when it was introduced.
Now it’s a non-native cross-platform Electron app that’s even available for Linux. It’s still a solid option, but no longer as special or one-of-a-kind as it once was.
There are still some native Apple password managers, but afaik they’re all from obscure solo or small devs and don’t get regular 3rd party audits.
Am I correct, then, in understanding that those on this forum with expertise regarding security matters would consider Bitwarden and 1Password equally secure based on what is known?
I believe they are (though I like the extra layer of 3rd party oversight BW’s open source code provides), but I’m not an infosec professional. Maybe someone who is will respond.
Are Bitwarden and 1Password equally secure? The security of a software program can change in a minute. How many updates have we received from Apple in the past year? Almost every one of them included one or more security updates.
Apple lists details of all the security updates that it issues at Apple security releases - Apple Support.
If you click on the “Name and information link” you can see a brief description of the issue/vulnerability and find the CVE (Common Vulnerabilities and Exposures) number of the report.
One site where you can look up CVE numbers for various companies, software, etc. and do research is cvedetails.com.
Care to give us a TL;DL? I can’t handle 2 hours of Laporte, but I am interested in what the general thoughts are. Are they dying out despite the tech press making a big deal of them a year ago? I have set up some passkeys, but find them confusing, and it’s easier to keep track of passwords by just using 1P and 2FA.
Thanks, but a rambling 20-page PDF that seems to be as long-winded as a TWiT podcast isn’t much better. I tried to have ChatGPT summarize it, but it said 10 pages was too long. I scanned it, but didn’t find anything particularly interesting about the use of passkeys.
Edit: I meant this to be lighthearted, because I found it amusing the PDF was so big, but I completely failed at that.
Thanks Wayne for doing that. I was just about to cut and paste myself.
I wonder if WWDC will help with this question. Perhaps Apple will make more enhancements to keychain.
That’s true, but a careful, thorough, consistent approach to identifying and mitigating vulnerabilities is what to look for, as well as a commitment to fully disclosing issues to users as early as possible.
Some companies are consistently better about this than others, and some are consistently worse.
The Keychain Access app, with its database and URI nerdiness, does not feel like a direct competitor to 1Password, with its consumer polish and support. I would put Bitwarden and Strongbox (with their KeePass open-source roots) somewhere in the middle of those two.
In my opinion, nothing is “safe”, just a matter of what level of risk you’re willing to accept…
Can I back up here and ask a fundamental question?
Why would you need to encrypt your software product keys, specifically? I have them in a Markdown document on my SSD, which is not synced to the cloud, and the disk is encrypted with FileVault 2 as mandated by Mx processors. Many times, having a clear-text copy has saved me when I was building a new system (Windows or macOS) and needed those keys in a format as basic as possible, so I didn’t have to first install other software.
What’s wrong with that? Please enlighten me, if I’ve forgotten something.
Secure notes: for me, that’s easy; I use that feature in Agenda all the time.